Runtime model validation for partially-observable hybrid systems

ABSTRACT

Disclosed herein are techniques to make the synthesized monitoring conditions of partially-observable hybrid systems robust to partial observability of sensor uncertainty and partial controllability due to actuator disturbance. The approach herein shows that the monitoring conditions result in provable safety guarantees with fallback controllers that react to monitor violation at runtime.

RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional PatentApplication Ser. No. 62/917,007, filed Nov. 15, 2018. In addition, thisapplication is a continuation-in-part of U.S. patent application Ser.No. 15/026,690, filed Apr. 1, 2016, which claims the benefit, under 35U.S.C. § 371, of PCT Application No. PCT/US14/60019, filed Oct. 10,2014, which claims the benefit of U.S. Provisional Application No.61/961,366, filed on Oct. 11, 2013, and U.S. Provisional Application No.61/999,318, filed Jul. 23, 2014. All of these applications are herebyincorporated in their entireties.

GOVERNMENT INTEREST

This invention was made with government support under contractCNS-1054246 from the National Science Foundation (NSF), contractFA8750-18-C-0092 from the Defense Advanced Research Projects Agency(DARPA)—and contract FA9550-16-1-0228 from the Air Force Office ofScientific Research (AFSOR). The government has certain rights in thisinvention.

FIELD OF THE INVENTION

This invention pertains to the field of cyber-physical systems (CPS),and, in particular to models approximating the behavior of CPS andmethods for monitoring the actual CPS that are based on the modelswherein the CPS are partially-observable hybrid systems.

BACKGROUND OF THE INVENTION

Formal verification provides strong safety guarantees about models ofcyber-physical systems. Hybrid system models describe the requiredinterplay of computation and physical dynamics, which is crucial toguarantee what computations lead to safe physical behavior (e.g., carsshould not collide). Control computations that affect physical dynamicsmust act in advance to avoid possibly unsafe future circumstances.Formal verification then ensures that the controllers correctly identifyand provably avoid unsafe future situations under a certain model ofphysics. But any model of physics necessarily deviates from reality and,moreover, any observation with real sensors and manipulation with realactuators is subject to uncertainty. This makes runtime validation acrucial step to monitor whether the model assumptions hold for the realsystem implementation.

Correctness arguments for cyber-physical systems crucially depend onmodels to enable predictions about their future behavior. Absent anymodels, neither tests nor verification provide any correctness resultsexcept for the limited amount of concrete (test) cases, because theycannot provide predictions for other cases. Models of physics arecrucial in CPSs, but necessarily deviate from reality. Even cybercomponents may come with surprises when their detailed implementation ismore complex than their verification model. Linking cyber and physicalcomponents with sensors and actuators adds another layer of uncertainty.These discrepancies are inevitable and call into question how safetyanalysis results about models can ever transfer to CPS implementations.Not using models, however, would invalidate all predictions.

Safety of the CPS implementation at runtime crucially depends on afaithful implementation of the model. However, even though rigorouscorrect-by-construction approaches promise provably correctimplementation of the software portion of the model, their correctnessis still predicated on meeting the assumptions of the model about thephysical environment and the physical effects of actuators. Whether ornot these environment and actuator effects are faithfully represented inthe model can only be checked from actual measurements during systemoperation at runtime. That way, runtime monitoring can help to check thepresent run of a CPS implementation.

The key question, however, is what property needs to beruntime-monitored and what a runtime monitor says about the safety ofthe system. There is a fundamental asymmetry of the power of runtimemonitoring in CPS compared to purely discrete software systems. In puresoftware, it may suffice to monitor the critical property itself andsuspend the software upon violation, raising an exception to propagatethe violation to surrounding code for mitigation. In cyber-physicalsystems any such attempt would be fundamentally flawed, because there isno way of reverting time and trying something else. For example, adesired property of a self-driving car may be to always keep at least 1ft distance to other cars. Runtime monitoring this property, however,would raise an alarm when the car is less than 1 ft away, which (whengoing fast) makes a collision inevitable and all runtime monitoringfutile. The underlying problem is that this property expressesunrealistic implicit assumptions about the continuous dynamics of a car.

Formal verification and validation play a crucial role in makingcyber-physical systems safe. Formal methods make strong guarantees aboutthe system behavior if accurate models of the system can be obtained,including models of the controller and of the physical dynamics. In CPS,models are essential; but any model that can be built necessarilydeviates from the real world. If the real system fits to the model, thebehavior of the real system can be guaranteed to satisfy the correctnessproperties verified with respect to the model. If not, then thisverification is impossible.

Cyber-physical systems span controllers and the relevant dynamics of theenvironment. Since safety is crucial for CPS, their models (e. g.,hybrid system models) need to be verified formally. Formal verificationguarantees that a model is safe with respect to a safety property. Theremaining task is to validate whether the models are adequate, such thatthe verification results transfer to the system implementation.

Actual system execution, however, provides many opportunities forsurprising deviations from the model. Faults may cause the system tofunction improperly, sensors may deliver uncertain values and actuatorsmay suffer from disturbance. The formal verification may have assumedsimpler ideal-world dynamics for tractability reasons or madeun-realistically strong assumptions about the behavior of other agentsin the environment. Simpler models are often better for real-timedecisions and optimizations, because they make predictions feasible tocompute at the required rate. The same phenomenon of simplicity forpredictability is often exploited for the models in formal verificationand validation. As a consequence, the verification results obtainedabout models of a CPS only apply to the actual CPS at runtime to theextent that the system fits to the model.

Validation (i.e., checking whether a CPS implementation fits to a model)is an interesting but difficult problem. CPS models are more difficultto analyze than ordinary (discrete) programs because of the physicalplant, the environment, sensor inaccuracies, and actuator disturbance.In CPS, models are essential; but any model necessarily deviates fromthe real world. Still, good models can be correct within certain errormargins.

SUMMARY OF THE INVENTION

For an unbroken chain of correctness guarantees, runtime monitors aresynthesized in a provably correct way from provably safe hybrid systemmodels. This paper advances these techniques to make the synthesizedmonitoring conditions robust to partial observability of sensoruncertainty and partial controllability due to actuator disturbance. Weshow that the monitoring conditions result in provable safety guaranteeswith fallback controllers that react to monitor violation at runtime. Weevaluate the method by synthesizing monitoring conditions from existingcase studies on train and road traffic control.

Herein we introduce a method (referred to herein as “ModelPlex”) tosynthesize monitors by theorem proving. The method uses sound proofrules to formally verify that a model is safe and to synthesize provablycorrect monitors that validate compliance of system executions with themodel.

This invention performs runtime model validation. That is, validatingwhether a model, shown for example, in FIG. 3 as reference number 100,which is assumed for verification purposes is adequate for a particularsystem execution to ensure that the verification results apply to thecurrent execution. The invention checks system execution with respect toa monitor specification 104, and thus, belongs to the field of runtimeverification. Herein, the term runtime validation is used to clearlyconvey the purpose of monitoring. While “runtime verification” monitorsproperties without offline verification, “runtime validation” monitorsmodel adequacy to transfer offline verification results. The focus ofthe invention is on verifiably correct runtime validation to ensure thatverified properties of models provably apply, which is important forsafety and certification of CPS.

If an observed system execution fits to the verified model 12, then thisexecution is safe according to the offline verification result about themodel. If it does not fit, then the system is potentially unsafe becauseit no longer has an applicable safety proof, so a verified fail-safeaction to avoid safety risks is initiated. Checking whether a systemexecution fits to a verified model 12 includes checking that the actionschosen by the (unverified) controller implementation fit to one of thechoices and requirements of the verified controller model. It alsoincludes checking that the observed states can be explained by the plantmodel. The crucial questions are: How can a compliance monitor besynthesized that provably represents the verified model? How much safetymargin does a system need to ensure that fail-safe actions are initiatedearly enough for the system to remain safe even if its behavior ceasesto comply with the model?

The second question is related to feedback control and can only beanswered when assuming constraints on the deviation of the real systemdynamics from the plant model. Otherwise, if the real system can beinfinitely far off from the model, safety guarantees are impossible. Bythe sampling theorem in signal processing, such constraints furtherenable compliance monitoring solely on the basis of sample pointsinstead of the unobservable intermediate states about which no sensordata exists. When such constraints are not available, the method of thepresent invention still generates verifiably correct runtime tests,which detect deviation from the model at the sampling points, not justbetween them. A fail-safe action will then lead to best-effortmitigation of safety risks (rather than guaranteed safety).

As presented herein, the present invention is a method to synthesizeverifiably correct runtime validation monitors automatically. ModelPlexuses theorem proving with sound proof rules to turn hybrid system modelsinto monitors in a verifiably correct way. Upon non-compliance with themodel, ModelPlex initiates provably safe fail-safe actions.

ModelPlex is a principle to build and verify high-assurance controllersfor safety-critical computerized systems that interact physically withtheir environment. It guarantees that verification results about CPSmodels transfer to the real system by safeguarding against deviationsfrom the verified model. Monitors created by ModelPlex are provablycorrect and check at runtime whether or not the actual behavior of a CPScomplies with the verified model and its assumptions. Uponnon-compliance, ModelPlex initiates fail-safe fallback strategies. Toinitiate the fallback strategies early enough, ModelPlex uses predictionon the basis of disturbed plant models to check safety for the nextcontrol cycle. This way, ModelPlex ensures that verification resultsabout a model of a CPS transfer to the actual system behavior atruntime.

For partially-observable systems, the approach disclosed herein provideoffline safety proofs which ensure that a controller avoids all safetyviolations with respect to an explicit model of physics and offlinemonitor synthesis turns these models into runtime monitors that act inadvance with provable safety guarantees about the true CPS/Lastly, themethod provides offline proofs to justify that all future model behaviorwill be safe if the monitor is satisfied at runtime. For example, thespecification “keep at least 1 ft distance to other cars” in thedisclosed approach considers the dynamics and therefore results in amonitor “always keep sufficient stopping distance” that acts ahead oftime as opposed to after a collision is inevitable.

FIG. 5, View (A) illustrates the intuition behind safety proofs andtheir relation to system execution and monitoring: A system should stayoutside unsafe states (collision) so it has to avoid all paths thatmight eventually end up in unsafe states ((car)collision). A safetyproof ([car]¬collision) shows that a model α (car) of the system indeedavoids such paths, no matter how often it is repeated (car*). Atruntime, as shown in View(B) of FIG. 5, implementation correctness canbe checked with monitors that inspect sensors and influence decisions oneach iteration α (every time the controller of the loop α* runs. Toguarantee safety, monitors must provably detect when the system is aboutto enter a path to the unsafe states. Such an approach cruciallyrequires logical foundations for analyzing both [car]¬collision safetyand <car>collision liveness in the same framework, which the describedchosen differential dynamic logic supports.

The methods disclosed herein advance techniques for these questions fromprior work, disclosed in U.S. patent application Ser. No. 15/026,690,incorporated herein in its entirety, with built-in systematic ways ofcoping with the inevitable complications of sensor uncertainty andactuator disturbance in partially observable hybrid systems.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the use of ModelPlex monitors along a system execution.

FIG. 2 show the water tank simulation using monitors

FIG. 3 is a high level flow chart of the process of deriving monitorsfrom a model.

FIG. 4 is a flow chart of the “Analyze Monitor Specification” step ofthe process shown in FIG. 3.

FIG. 5 illustrates the intuition behind safety proofs and their relationto system execution and monitoring.

FIG. 6 shows a model monitor in which a system execution is checked forvalidation against a model.

FIG. 7, View (A) is a graph showing that controller observe truebehavior through sensors. View (B) is a graph showing that monitors mustcheck for the existence of a behavior that fits the model and explainsthe observed measurements.

FIG. 8 is a graph showing measurements with sensor uncertainty, showingtrue values and measured values.

FIG. 9 is a graph showing the bounds for a variable being derived from ameasurement history and the detection of excess drift over time.

DETAILED DESCRIPTION

Preliminaries: Differential Dynamic Logic

For hybrid systems verification differential dynamic logic d

is used, which has a notation for hybrid systems as hybrid programs. d

allows us to make statements that we want to be true for all runs of ahybrid program ([α]Ø) or for at least one run (<α>Ø) of a hybridprogram.

Both constructs are necessary to derive safe monitors: [α]Ø proofs areneeded to ensure that all behavior of a model (including controllers) issafe; <α>Ø proofs are needed to find monitor specifications that detectwhether or not system execution fits to the verified model.

Table 1 summarizes the relevant syntax fragment of hybrid programstogether with an informal semantics. The semantics ρ(α) of hybridprogram α is a relation on initial and final states of running α. Theset of d

formulas is generated by the following grammar (<∈{<, ≤, =, ≥, >} andθ₁, θ₂ are arithmetic expressions in +, −, ·,/over the reals):ϕ::=θ₁˜θ₂ |¬ϕ|ϕ∧ψ|ϕ∨ψ|ϕ→ψ|∀xϕ|∃xϕ|[α]ϕ|<α>ϕ

Differential dynamic logic comes uses a theorem prover with averification technique to prove correctness properties of hybridprograms. One example of a theorem prover and the one that is used inthe preferred embodiment of the invention is KeYmaera.

TABLE 1 Hybrid program representations of hybrid systems. StatementEffect α; β sequential composition, first run hybrid program α, thenhybrid program β α ∪ β nondeterministic choice, following either hybridprogram α or β α* nondeterministic repetition, repeats hybrid program αn ≥ 0 times x := θ assign value of term θ to variable x (discrete jump)x := * assign arbitrary real number to variable x ?F check that aparticular condition F holds, and abort if it does not (x_(i)′ = θ_(i),. . . , evolve x_(i) along differential equation system x_(i)′ = θ_(i)x_(n)′ = θ_(n) & F′) restricted to maximum evolution domain F′ModelPlex Approach for Verified Runtime Validation

CPS are almost impossible to get right without sufficient attention toprior analysis, for instance by formal verification and formalvalidation techniques. We assume to be given a verified model of a CPS,i.e. formula (1) is proved valid. Note that differential dynamic logic(d

) and KeYmaera as a theorem prover are used to illustrate the conceptsherein. The concept of ModelPlex is not predicated on the use ofKeYmaera to prove (1). Other verification techniques could be used toestablish validity of this formula. The flexibility of the underlyinglogic d

, its support for both [α]ϕ and <α>ϕ, and its proof calculus, however,are exploited for systematically constructing monitors from proofs inthe sequel.ϕ→[α*]ψ with invariat φ→[α]φs.t.ϕ→φ and φ→ψ  (1)

Eq.(1) expresses that all runs of the hybrid system α*, which start instates that satisfy the precondition Ø and repeat the model αarbitrarily many times, must end in states that satisfy the postcondition ψ. Eq.(1) is proved using some form of induction, which showsthat a loop invariant φ holds after every run of α if it was truebefore. The model α is a hybrid system model 100 of a CPS, which meansthat it describes both the discrete control actions of the controllersin the system and the continuous physics of the plant and the system'senvironment.

The safety guarantees obtained by proving Eq.(1) about the model α*transfer to the real system, if the actual CPS execution fits to α*.Because safety properties should be preserved, a CPS γ fits to a modelα*, if the CPS reaches at most those states that are reachable by themodel, i.e., ρ(γ)⊆ρ(α*). However, we do not know γ and therefore need tofind a condition based on α* that can be checked at runtime to see ifconcrete runs of γ behave like α*.

Checking the post condition ψ is not sufficient because, if ψ does nothold, the system is already unsafe. Checking the invariant φ isinsufficient as well, because if φ does not hold, the controller can nolonger guarantee safety, even though the system may not yet be unsafe.But if we detect when a CPS is about to deviate from α* before leavingφ, we can still switch to a fail-safe controller to avoid ¬ψ fromhappening.

As shown in FIG. 1, ModelPlex derives three kinds of monitors, a modelmonitor 20, a controller monitor 22, and a prediction monitor 24.Reachability between consecutive states in α, α_(ctrl), and α_(δplant)are checked by verifying states during execution against thecorresponding monitor.

Model Monitor 20—

In each state ν_(i) the sample point ν_(i−1) from the previous executionγ_(i−1) is tested for deviation from the single α, not α* i. e., test(ν_(i−1), ν_(i))∈ρ(α). If violated, other verified properties may nolonger hold for the system. The system, however, is still safe if aprediction monitor 24 was satisfied on ν_(i−1). Frequent violationsindicate an inadequate model that should be revised to better reflectreality.

Controller Monitor 22—

In intermediate state {tilde over (v)}_(i) the current controllerdecisions of the implementation γ_(ctrl) are tested for compliance withthe model, i.e., test (v_(i), {tilde over (v)}_(i))∈ρ(α_(ctrl)).Controller monitors 22 are designed for switching between controllerssimilar to Simplex. If violated, the commands from a fail-safecontroller replace the current controller's decisions to ensure that nounsafe commands are ever actuated.

Prediction Monitor 24—

In intermediate state {tilde over (v)}_(i) the worst-case safety impactof the current controller decisions are tested with respect to thepredictions of a bounded deviation plant model α_(δplant), which has atolerance around the model plant α_(plant), i.e., check ν_(i+1) □=φ forall ν_(i+1) such that ({tilde over (v)}_(i), ν_(i+1))∈ρ(α_(δplant)).Note, that all ν_(i+1) are simultaneously checked by checking {tildeover (v)}_(i) for a characterizing condition of α_(δplant). If violated,the current control choice is not guaranteed to keep the system safeuntil the next control cycle and, thus, a fail-safe controller takesover.

The assumption for the prediction monitor 24 is that the real executionis not arbitrarily far off the plant models used for safetyverification, because otherwise guarantees can neither be made onunobservable intermediate states nor on safety of the future systemevolution. A separation of disturbance causes in the models can be used:ideal plant models α_(plant) for correctness verification purposes,implementation deviation plant models α_(δplant) for monitoringpurposes. Any deviation model (e.g., piecewise constant disturbance,differential inclusion models of disturbance) is supported, as long asthe deviation is bounded and differential invariants can be found. It isassumed that monitor evaluations are at most some e time units apart(e.g., along with a recurring controller execution). Note thatdisturbance in α_(δplant) is more manageable compared to α*, as singleruns α can be focused on instead of repetitions for monitoring.

Relation Between States

A check that inspects states of the actual CPS to detect deviation fromthe model α* is systematically derived. First, a notion of state recallis established and shows that, when all previous state pairs comply withthe model, compliance of the entire execution can be checked by checkingthe latest two states (ν_(i−1), ν_(i)).

Definition 1 (State Recall).

V is used to denote the set of variables whose state we want to recall.γ_(V) ⁻=∧_(x∈v) ^(x=x−) are used to express a characterization of thevalues of variables in a state prior to a run of α, where the freshvariables x⁻ to are always presumed to occur solely in γ_(V) ⁻. Thevariables in x⁻ can be used to recall this state. Likewise, γ_(V)⁺=∧_(x∈v) ^(x=x+) is used to characterize the posterior states andexpect fresh x⁺.

With this notation, the following lemma states that an interconnectedsequence of α transitions forms a transition of α*.

Lemma 1 (Loop Prior and Posterior State).

Let α be a hybrid program and α* be the program that repeats arbitrarilymany times. Assume that all consecutive pairs of states (ν_(i−1),ν_(i))∈ρ(α) of n∈

⁺ executions, whose valuations are recalled with γ_(V)^(i)=∧_(x∈V)x=x^(i) and γ_(V) ^(i-1) are plausible with respect to themodel α, i.e.,

∧_(1≤i≤n) (γ_(V) ^(i-1)→

α

γ_(V) ^(i)) with γ_(V) ⁻=γ_(V) ⁰ and γ_(V) ⁺=γ_(V) ^(n). Then, thesequence of states originates from an α* execution from γ_(V) ⁰ to γ_(V)^(n), i.e.,

γ_(V) ⁻→

α*

γ_(V) ⁺.

Lemma 1 enables us to check compliance with the model α* up to thecurrent state by checking reachability of a posterior state from a priorstate on each execution of α (i.e., online monitoring, which is easierbecause the loop was eliminated). To find compliance checkssystematically, we construct formula (2), which relates a prior state ofa CPS to its posterior state through at least one path through the modelα. Consecutive states for α* mean before and after executions of α(i.e., α_(;) ^(↓)α_(;) ^(↓)α, not within α).γ_(V) ⁻→<α>γ_(V) ⁺  (2)

Eq.(2) is satisfied in a state v, if there is at least one run of themodel α starting in the state v recalled by γ_(V) ⁻ and which results ina state ω recalled using γ_(V) ⁺. In other words, at least one paththrough α explains how the prior state v got transformed into theposterior state ω. The d

Eq.(2) characterizes the state transition relation of the model αdirectly. Its violation indicates compliance violation. Compliance atall intermediate states cannot be observed by real-world sensors.

In principle, Eq.(2) would be a monitor, because it relates a priorstate to a posterior state through the model of a CPS, but the formulais difficult, if not impossible, to evaluate at runtime, because itrefers to a hybrid system α, which includes non-determinism anddifferential equations. The basic observation is that any equation thatis equivalent to Eq.(2) but conceptually easier to evaluate in a statewould be a correct monitor 112. We use theorem proving for simplifyingEq.(2) into quantifier-free first-order real arithmetic form so that itcan be evaluated efficiently at runtime. The resulting first-order realarithmetic formula can be easily implemented in a runtime monitor andexecuted along with the actual controller. A monitor 112 is executablecode that only returns true if the transition from the prior systemstate to the posterior state is compliant with the model 100. Thus,deviations from the model 100 can be detected at runtime, so thatappropriate fallback and mitigation strategies can be initiated.

The complexity for evaluating an arithmetic formula over the reals forconcrete numbers is linear in the formula size, as opposed to decidingthe validity of such formulas, which is doubly exponential. Evaluatingthe same formula on floating point numbers is inexpensive but may yieldwrong results due to rounding errors; on exact rationals, thebit-complexity can be non-negligible. Interval arithmetic is used toobtain reliable results efficiently.

ModelPlex Monitor Synthesis

This section introduces the nature of ModelPlex monitor specifications,the approach in this invention for generating such specifications fromhybrid system models, and how to turn those specifications into monitorcode that can be executed at runtime along with the controller.

A ModelPlex specification 104 corresponds to the d

formula (2). If the current state of a system does not satisfy aModelPlex specification 104, some behavior that is not reflected in themodel 100 occurred (e.g., the wrong control action was taken,unanticipated dynamics in the environment occurred, sensor uncertaintyled to unexpected values, or the system was applied outside thespecified operating environment).

A model monitor X_(m) checks that two consecutive states v and w can beexplained by an execution of the model α, i.e., (v, w)∈ρ(α). In thesequel, BV(α) are bound variables in α, FV(φ) are free variables in φ, Σis the set of all variables, and A\B denotes the set of variables beingin some set A but not in some other set B. Furthermore, we use v□□ todenote v projected onto the variables in A.

Theorem 1 (Model Monitor Correctness).

Let α* be provably safe, so

ϕ→[α*]ψ. Let V_(m)=BV (α)∪FV (ψ). Let v₀, v₁, v₂ v₃ . . . ∈

^(n) be a sequence of states, with v₀

ϕ and that agree on Σ\V_(m), i.e., v₀|_(Σ\V) _(m) =v_(k)|_(Σ\V) _(m) forall k. We define (v, v_(i+1))

x_(m) as x_(m) evaluated in the state resulting from v by interpretingx⁺ as v_(i+1)(x) for all x∈V_(m), i.e., v_(x) ₊ ^(v) ^(i+1(x))

x_(m). If (v_(i), v_(i+1))

x_(m) for all i<n then we have v_(n)

ψ whereX _(m)≡(ϕ|_(const)→

α

γ_(v) _(m) ⁺)  (3)and ϕ|_(const) denotes the conditions of ϕ that involve only constantsthat do not change in α, i. e., FV (ϕ|_(const))∩BV (α)=Ø.

The approach shown herein to generate monitor specifications from hybridsystem models 102 takes a verified d

formula (1) as input 100 and produces a monitor x_(m) in quantifier-freefirst-order form as output. The algorithm involves the following steps:

A d

formula (1) about a model α of the form ϕ→[α*]ψ is turned into aspecification conjecture (3) of the form ϕ|_(const)→

α

γ_(V) _(m) ⁺. See process 102, resulting in monitor specification 104 inFIG. 3.

Theorem proving on the specification conjecture (3) is applied until nofurther proof rules are applicable and only first-order real arithmeticformulas remain open. See process 106, resulting in monitor conditions108, containing only first-order logic (FOL) in FIG. 3. Process 106 isalso shown in more detail in FIG. 4, and an algorithmic representationof process 106 is shown herein.

The monitor specification x_(m) is the conjunction of the unprovablefirst-order real arithmetic formulas from open sub-goals.

Generate the Monitor Conjecture.

d

formula (1) is mapped syntactically to a specification conjecture of theform (3). By design, this conjecture will not be provable. But theunprovable branches of a proof attempt will reveal information that, hadit been in the premises, would make (3) provable. Through γ_(V) _(m) ⁺,those unprovable conditions collect the relations of the posterior stateof model α characterized by x⁺ to the prior state x, i.e., theconditions are a representation of (2) in quantifier-free first-orderreal arithmetic.

Use Theorem Proving to Analyze the Specification Conjecture.

The proof rules of d

are used to analyze the specification conjecture x_(m). These proofrules syntactically decompose a hybrid model 100 into easier-to-handleparts, which leads to sequents with first-order real arithmetic formulastowards the leaves of a proof. Using real arithmetic quantifierelimination we close sequents with logical tautologies, which do notneed to be checked at runtime since they always evaluate to true for anyinput. The conjunction of the remaining open sequents is the monitorspecification 104, which implies (2).

A complete sequence of proof rules applied to the monitor conjecture ofthe water tank is described in below. Most steps are simple whenanalyzing specification conjectures: sequential composition (

;

), nondeterministic choice (

∪

), deterministic assignment (

:=

) and logical connectives (∧r etc.) replace current facts with simplerones or branch the proof. Challenges arise from handlingnondeterministic assignment and differential equations in hybridprograms.

First, consider nondeterministic assignment x:=*. The proof rule fornondeterministic assignment (

*

) results in a new existentially quantified variable. By sequent proofrule ∃r, this existentially quantified variable is instantiated with anarbitrary term θ, which is often a new logical variable that isimplicitly existentially quantified. Weakening (Wr) removes facts thatare no longer necessary.

$( {{(*}{{))}\frac{\exists\;{{X( {x:=X} )}\phi_{1}}}{{( {x:=} {*)}}\phi}\mspace{14mu}( {\exists\; r} )\frac{{\Gamma\; \vdash \;{\phi(\theta)}},{\exists\;{x\;{\phi(x)}}},\Delta_{2}}{{\Gamma\; \vdash \;{\exists\;{x\;{\phi(x)}}}},\Delta}\mspace{14mu}({Wr})\frac{\Gamma\; \vdash \;\Delta}{{\Gamma\; \vdash \;\phi},\Delta}}} $

Optimization 1 (Instantiation Trigger).

If the variable is not changed in the remaining α, x_(i)=x_(i) ⁺ isγ_(V) _(m) ⁺ and X is not bound in γ_(V) _(m) ⁺, then instantiate theexistential quantifier by rule ∃r with the corresponding x_(i) ⁺ that ispart of the specification conjecture (i.e., θ=x_(i) ⁺), since subsequentproof steps are going to reveal θ=x_(i) ⁺ anyway.

Otherwise, a new logical variable is introduced which may result in anexistential quantifier in the monitor specification if no furtherconstraints can be found later in the proof.

Next, differential equations are handled. Even when the differentialequation can be solved, existentially and universally quantifiedvariables remain. Inspect the corresponding proof rule from the d

calculus. For differential equations it must be proven that there existsa duration t, such that the differential equation stays within theevolution domain H throughout all intermediate times {tilde over (t)}and the result satisfies φ at the end. At this point there are threeoptions:

-   -   i. Option 1: instantiate the existential quantifier, if it is        known that the duration will be t⁺;    -   ii. Option 2: introduce a new logical variable, which is the        generic case that always yields correct results, but may        discover monitor specifications that are harder to evaluate;    -   iii. Option 3: use quantifier elimination (QE) to obtain an        equivalent quantifier-free result (a possible optimization could        inspect the size of the resulting formula).

The analysis of the specification conjecture finishes with collectingthe open sequents from the proof to create the monitor specificationx_(m)

∧ (open sequent) 104. The collected open sequents may include newlogical variables and new (Skolem) function symbols that were introducedfor nondeterministic assignments and differential equations whenhandling existential or universal quantifiers. The invertible quantifierrule i∃ is used to re-introduce existential quantifiers for the newlogical variables. Often, the now quantified logical variables arediscovered to be equal to one of the post-state variables later in theproof, because those variables did not change in the model after theassignment. If this is the case, proof rule ∃σ can be used to furthersimplify the monitor specification by substituting the correspondinglogical variable x with its equal term θ.

$\mspace{79mu}{( {i\;\exists} )\frac{{\Gamma \vdash {\exists{X( {\Lambda_{i}( {\Phi_{i} \vdash \Psi_{i}} )} )}}},\Delta_{1}}{\Gamma,{\Phi_{1} \vdash \Psi_{1}},{\Delta\mspace{14mu}\ldots\mspace{14mu}\Gamma},{\Phi_{n} \vdash \Psi_{n}},\Delta}\mspace{14mu}( {\exists\sigma} )\mspace{11mu}\frac{{\phi(\theta)}_{2}}{\exists{x( {x = {\theta\bigwedge{\phi(x)}}} )}}}$ ¹Among  all  open  branches, free  logical  variable  X  only  occurs  in  the  branches  Γ, Φ_(i) ⊢ Ψ_(i), Δ ²Logical  variable  x  does  not  appear  in  term  θController Monitor Synthesis

A controller monitor x_(c), shown as reference number 112 in FIG. 3,checks that two consecutive states v and ω are reachable with onecontroller execution α_(ctrl), i. e., (v,ω)∈ρ(α_(ctrl)) withV_(c),=BV(α_(ctr))∪FV(ψ). Controller monitors 112 are systematicallyderived in processes 106 and 110 from formulas 104: φ|_(const)→

α_(ctrl)

γ_(V) _(c) ⁺. A controller monitor 112 can be used to initiatecontroller switching similar to Simplex.

Theorem 2 (Controller Monitor Correctness).

Let α of the canonical form α_(ctrl); α_(plant). Assume

ϕ→[α*]φ has been proven with invariant φ as in (1). Let v

φ|_(const)∧φ, as checked by x_(m)(Theorem 1). Furthermore, let {tildeover (v)} be a post-controller state. If (v, {tilde over (v)})

x_(c) with x_(c)≡ϕ|_(const)→

α_(ctrl)

γ_(V) _(c) ⁺ then we have that (v, {tilde over (v)})∈ρ(α_(ctrl)) and{tilde over (v)}

φ.

Monitoring in the Presence of Expected Uncertainty and Disturbance

Up to now exact ideal-world models have been considered. However,real-world clocks drift, sensors measure with some uncertainty, andactuators are subject to disturbance. This makes the exact models safebut too conservative, which means that monitors for exact models arelikely to fall back to a fail-safe controller unnecessarily often. Thissection is a discussion of how ModelPlex specifications are found suchthat the safety property (1) and the monitor specification become morerobust to expected uncertainty and disturbance. That way, onlyunexpected deviations beyond those captured in the normal operationaluncertainty and disturbance of α* cause the monitor to initiatefail-safe actions.

In d

we can, for example, use nondeterministic assignment from an interval tomodel sensor uncertainty and piecewise constant actuator disturbance, ordifferential inequalities for actuator disturbance. Such models includenon-determinism about sensed values in the controller model and oftenneed more complex physics models than differential equations withpolynomial solutions.

Currently, for finding model monitors, our prototype tool solvesdifferential equations by the proof rule (′). Thus, it finds modelmonitor specifications for differential algebraic equations withpolynomial solutions and for differential algebraic inequalities, whichcan be refined into solvable differential algebraic equations. Forprediction monitors (discussed below) d

techniques are used for finding differential variants and invariants,differential cuts, and differential auxiliaries to handle differentialequations and inequalities without polynomial solutions.

Monitoring Compliance Guarantees for Unobservable Intermediate States

With controller monitors, non-compliance of a controller implementationwith respect to the modeled controller can be detected right away. Withmodel monitors, non-compliance of the actual system dynamics withrespect to the modeled dynamics can be detected when they first occur.In such cases, a fail-safe action is switched to, which is verifiedusing standard techniques, in both non-compliance cases. The crucialquestion is: can such a method always guarantee safety? The answer islinked to the image computation problem in model checking (i. e.,approximation of states reachable from a current state), which is knownto be not semi-decidable by numerical evaluation at points;approximation with uniform error is only possible if a bound is knownfor the continuous derivatives. This implies that additional assumptionsare needed about the deviation between the actual and the modeledcontinuous dynamics to guarantee compliance for unobservableintermediate states. Unbounded deviation from the model between samplepoints just is unsafe, no matter how hard a controller tries. Hence,worst-case bounds capture how well reality is reflected in the model.

A prediction monitor is derived to check whether a current controldecision will be able to keep the system safe for time ε even if theactual continuous dynamics deviate from the model. A prediction monitorchecks the current state, because all previous states are ensured by amodel monitor and subsequent states are then safe by (1).

Definition 2 (ε-Bounded Plant with Disturbance δ).

Let α_(plant) be a model of the form x′=θ & H. An ε-bounded plant withdisturbance δ, written α_(δplant), is a plant model of the formx_(o):=0; (f(θ, δ)≤x′≤g(θ, δ)&H∧x_(o)≤ε) for some f, g with freshvariable ε>0 and assuming x_(o)′=1. That disturbance δ is constant ifx∉δ; it is additive if f(θ, δ)=θ−δ and g(θ, δ)=θ+δ.

Theorem 3 (Prediction Monitor Correctness).

Let α* be provably safe, i. e.,

ϕ→[α*]ψ has been proved using invariant φ as in (1). Let V_(p)=BV (α)∪FV([α]φ]). Let v

ϕ|_(const)∧φ, as checked by χ_(m) from Theorem 1. Further assume {tildeover (v)} such that (v, {tilde over (v)})∈ρ(α_(ctrl)), as checked by xfrom Theorem 2. If (v, {tilde over (v)})

χ_(p) with χ_(p)=(ϕ|_(const)∧ϕ)→

α_(ctrl)

(γ_(V) _(p) ⁺∧[α_(plant)]φ), then we have for all ({tilde over (v)},ω)ρ(α_(δplant)) that ω

φ.

By adding a controller execution

α_(ctrl)

prior to the disturbed plant model, we synthesize prediction monitorsthat take the actual controller decisions into account. For safetypurposes, a monitor definition without controllerχ_(p)≡(ϕ□_(const)∧ϕ)→[α_(δplant)]φ could be used, but doing so resultsin a conservative monitor, which has to keep the CPS safe withoutknowledge of the actual controller decision.

Decidability and Computability

One useful characteristic of ModelPlex beyond soundness is that monitorsynthesis is computable, which yields a synthesis algorithm, and thatthe correctness of those synthesized monitors with respect to theirspecification is decidable. See Theorem 4.

Theorem 4 (Monitor Correctness is Decidable and Monitor SynthesisComputable).

Assume canonical models of the form α≡α_(ctrl); α_(plant) without nestedloops, with solvable differential equations in α_(plant) and disturbedplants α_(δplant) with constant additive disturbance δ (see Definition.2). Then, monitor correctness is decidable, i. e., the formulas χ_(m)→

α

γ_(V) ⁺, χ_(c)→

α_(ctrl)

γ_(V) ⁺γ_(V) ⁺, and χ_(p)→

α_(ctrl)

(γ_(V) ⁺∧[α_(δplant)]φ) are decidable. Also, monitor synthesis iscomputable, i. e., the functions synth_(m):

α

γ_(V) ⁺

χ_(m), synth_(c):

α_(ctrl)

γ_(V) ⁺

χ_(c), and synth_(p):

α_(ctrl)

(γ_(V) ⁺∧[α_(δplant)]φ)

χ_(p) are computable.

Monitor Synthesis and Fallback Controller Design—Design-by-ContractMonitoring

Preconditions, postconditions and invariants are crucial conditions inCPS design. Monitors for these conditions can check (i) whether or notit is safe to start a particular controller (i. e., check that theprecondition of a controller is satisfied), (ii) whether or not acontroller complies with its specification (i. e., check that acontroller delivers set values that satisfy its post condition), and(iii) whether or not the system is still within its safety bounds (i.e., check that the loop invariant of α* is satisfied).

Precondition and post condition monitors are useful to decide whether ornot it is safe to invoke a controller in the current state, and whetheror not to trust a controller output. An invariant monitor of a CPS α*captures the main assumptions that have to be true throughout systemexecution. When an invariant monitor is unsatisfied, it may no longer besafe to run the CPS; a fail-safe controller can act as a mitigationstrategy.

Design-by-contract monitors are useful to monitor specific designdecisions, which are explicitly marked in the model. Our approachsystematically creates monitors for a complete specification of thebehavior of the model.

Monitor Synthesis

Once we found a model monitor, controller monitor, or prediction monitorspecification, we want to turn it into an actual monitor implementation(e. g., in C). The main challenge is to reliably transfer the monitorspecification, which is evaluated on

, into executable code that uses floating point representations. We usethe interval arithmetic library Apron to represent each real arithmeticvalue with an interval of a pair of floating point numbers. The intervalreliably contains the real.

For certification purposes one still has to argue for the correctness ofthe actual machine code of the synthesized monitor. This entails thatthe transformation from the monitor specification as a first-orderformula into actual code that evaluates the formula must be formallyverified. If the synthesized code is still a high-level language, acertified compiler, can be used to produce machine code. Such acomprehensive proof chain suitable for certification is part of ourongoing research.

Designing for a Fail-Safe Fallback Controller

When we design a system for a fail-safe fallback controller ctrl_(safe),it is important to know within which bounds the fail-safe controller canstill keep our CPS safe, and which design limits we want a controllerimplementation to obey. The invariant of a CPS with the fail-safefallback controller describes the safety bounds. When we start thefail-safe fallback controller ctrl_(safe) in a state where its invariantG is satisfied, it will guarantee to keep the CPS in a state thatsatisfies the safety property ψ.

So, to safely operate an experimental controller ctrl_(exp), we want amonitor that informs us when the experimental controller can no longerguarantee the invariant of the fail-safe controller or when it is aboutto violate the design limits.

A design for a CPS with a fail-safe fallback controller, therefore,involves proving two properties. First, we prove that the fail-safecontroller ctrl_(safe) ensures the safety property ψ as in Eq.(4) below.This property is only provable if we discover an invariant G for the CPSwith the fail-safe controller. Then we use G as the safety condition forgenerating a prediction monitor.Ø

[(ctrl_(safe);plant)*@inv(G)]ψ  (4)

With this generic structure in mind, we can design for a fallbackcontroller invoked by a model monitor X_(m), controller monitor X_(c),or prediction monitor X_(p). Upon violation of either X_(m), X_(c), orX_(p) by the actual system execution, the set values of a fail-safecontroller are used instead.

Monitor Synthesis Algorithm

Algorithm 1 lists the ModelPlex specification conjecture analysisalgorithm 106, which turns a specification conjecture into an actualmonitor, and is shown in flow-chart form in FIG. 4. The algorithm takesa hybrid system model α, a set of variables V that we want to monitor,and an initial condition Ø including constraints on the variables notchanged in a. (Usually, we want a monitor for all the bound variables ofthe hybrid system model, i. e., V=BV (α).

Algorithm 1: ModelPlex monitor synthesis input : A hybrid program α, aset of variables ν ⊆ BV(α), an initial condition ϕ such that |= ϕ −>[α*]ψ, output: A monitor χ_(m) such that |= χ_(m) ≡ ϕ|_(const) → <α>Y⁺,begin  | S ← ∅  | Y⁺ ← Λ_(x∈ν) x = x⁺ with fresh variables x_(i) ⁺ //Monitor conjecture  | G ← {├ ϕ|_(const) → <α>Y⁺}  | while G ≠ ∅ do //Analyze monitor conjecture  |  | foreach g ∈ G do  |  |  | G ← G − {g} |  |  | if g is first-order then  |  |  |  | if |≠ g then S ← S ∪ {g} |  |  | else  |  |  |  | {tilde over (g)} ← apply dL proof rule to g  | |  |  | G ← G ∪ {{tilde over (g)}}  |  |  |  _(—)  |  |  _(—)  |  _(—) _(—) χ_(m) ← Λ_(s∈S) s // Collect open sequentsSimulation

To illustrate the behavior of the water tank model with a fallbackcontroller, we created two monitors: Monitor X_(m) validates thecomplete model (as in the examples throughout this work) and is executedat the beginning of each control cycle (before the controller runs).Monitor X_(c) validates only the controller of the model α (comparesprior and post state of

$ {{f:=*};{?{{- 1} \leq f \leq \frac{m - x}{ɛ}}}} )$and is executed after the controller but before control actions areissued. Thus, monitor X, resembles conventional runtime verificationapproaches, which do not check CPS behavior for compliance with thecomplete hybrid model. This way, unexpected deviations from the modelare detected at the beginning of each control cycle, while unsafecontrol actions are detected immediately before they are taken. Withonly monitor X_(m) in place an additional control cycle would berequired to detect unsafe control action, whereas with only monitorX_(c) in place, deviations from the model would be missed. Note that themonitor X_(m) could be run in place of X_(c) to achieve the same effect.But monitor X_(m) implements a more complicated formula, which isunnecessary when only the controller output should be validated.

FIG. 2 shows a plot of the variable traces of one simulation run. In thesimulation the pump controller was run every 2 s (ε=2 s), indicated bythe grid for the abscissa and the marks on sensor and actuator plots).The controller was set to pump with

$\frac{5( {m - x_{0}} )}{2\; ɛ} = \frac{5}{2}$for the first three controller cycles, which is unsafe on the thirdcontroller cycle. Monitor B immediately detects this violation at t=4,because on the third controller cycle setting f=5/2 violates

$f \leq {\frac{m - x_{1}}{ɛ}.}$The fail-safe action at t=4 drains the tank and, after that, normaloperation continues until t=12. Unexpected disturbance

$x^{\prime} = {f + \frac{1}{20}}$occurs throughout t=[12, 14], which is detected by monitor X_(m). Note,that such a deviation would remain undetected with conventionalapproaches (monitor X_(c) is completely unaware of the deviation). Inthis simulation run, the disturbance is small enough to let thefail-safe action at t=14 keep the water tank in a safe state.Partially-Observable SystemsMonitor Synthesis for Verified Runtime Validation

CPS are almost impossible to get right without sufficient attention toprior analysis, for instance by formal verification. Performed offline,these approaches result in a verified model of a CPS, i.e. Eq.(5) isproved valid, for example using the differential dynamic logic proofcalculus implemented in KeYmaera X:A→[α*]S  (5)

Eq. (5) expresses that all runs of the hybrid system α*, which starts instates that satisfy the precondition A and repeat a arbitrarily manytimes, only end in states that satisfy the postcondition S. The model α*is a hybrid system model of a CPS, which means that it describes boththe discrete control actions of the controllers in the system and thecontinuous physics of the plant and the system's environment.

Whether or not the control choices, actuator and environment effects arefaithfully represented in the model can only be checked from actualmeasurements. Intuitively, such checks compare the values x in statev_(i−1) to the values x⁺ in state v_(i) taken at successive sample timesto determine compatibility of the unknown system behavior γ_(i−1) withmodel α* as shown in FIG. 6.

For example, values x=2 and x⁺=3 are compliant with the differentialequation x′=2, because starting the program at x can produce x⁺, aswitnessed by a proof of the d

formula x=2∧x⁺=3→

x′=2

x⁺=x. No x⁺<x is compliant with the program, because the program canreach only states where x⁺≥x.

ModelPlex, as described in U.S. patent application Ser. No. 15/026,690,provides the basis for obtaining such runtime checks from hybrid systemmodels both automatically and in a provably correct manner. ModelPlexanalyzes hybrid programs α, starting from monitor conditions in d

of the form

α

γ⁺, where γ⁺ is a shortcut notation for x⁺=x for all x∈BV(α) to collectthe effect of executing α. The satisfaction relation (w, v)

ϕ can be used to refer to a monitor condition that is satisfied over twostates w and v.

Definition 3 (Transition Satisfaction Relation).

The satisfaction relation (w, v)

ϕ of d

formula ϕ for a pair of states (w, v) evaluates ϕ in the state resultingfrom state w by interpreting variable x⁺ as v(x) for all x∈V, i.e., (w,v)

ϕiff w_(x) ₊ ^(v(x))∈[[ϕ]].

The central correctness result about ModelPlex, as shown by Theorem 1,guarantees that the resulting monitoring formula preserves safety (i.e.,if the monitoring formula evaluates to true with current sensormeasurements and control choices, then the system is safe).

In the following sections, the ModelPlex monitor synthesis techniquesare advanced to account for actuator disturbance and sensor uncertaintyin partially observable cases.

Robustness to Actuator Disturbance

Actuator disturbance results in discrepancies between the chosen controldecisions u and their physical effect ũ (e.g., wheel slip). A typicalpattern to model piecewise constant actuator disturbance chooses anondeterministic value i in the Δ-neighborhood around the control choiceu (but does not affect other state variables) as input to the plant:u:∈ctrl(x); ũ∈U_(Δ)(u); x′=f(x,ũ).

Actuator disturbance is partially observable by monitoring thedifference between the intended effect x′=f(x, u) and the actual effectx′=f(x,ũ) from observable quantities. As a side effect, safety andinvariant properties of models do not mention the perturbed actuatoreffect. For example, a car controller can estimate deviation from itsacceleration choice only after the fact by observing the actualresulting speed difference. The safety property of interest is usuallyabout the actual resulting speed and not the perturbed acceleration. Formonitor synthesis, we therefore adapt the input-output relation γ⁺ toconjecture existence of an effective actuator effect ũ⁺ that explainsall other effects collected in γ⁺ about a program α. The monitorcondition, shown in Eq. (6), can be turned into arithmetical form withthe prior synthesis process and preserves safety by Theorem 5.

α

∃ũ ⁺γ⁺  (6)Theorem 5 (Monitor with Actuator Disturbance Preserves Invariants).

Let α be a hybrid program of the shape u:∈ctrl(x); ũ∈U_(Δ)(u);x′=f(x,ũ). Let α* preserve an invariant J where ũ∉FV(J), so J→[α]J isvalid. Assume the system transitions from state w to v, which agree onBV(α)^(C), and assume w∈[[J]]. If the monitor condition in Eq. (6) issatisfied (i.e., (w, v)

α

∃ũ⁺γ⁺), then the invariant is preserved (i.e., v∈[[J]]).

Theorem 5 extends to multiple control outputs u and their effects withdisturbance ũ in a straightforward way. The controller u:∈ctrl(x) doesnot access u and ũ∉FV(J)

is therefore natural as no information about l needs to be maintained inthe invariant J.

Partial Observability from Sensor Uncertainty

Monitor correctness requires that all bound variables of a program α aremonitored (i.e., BV(α)⊆FV(γ⁺)). This is the appropriate behavior exceptfor variables that are unobservable in the CPS implementation. Forexample, when controllers use sensors to obtain information, only themeasurement is known, but not the true value that the sensor ismeasuring. If a variable is unobservable then it cannot be included in aruntime monitor. But there may still be indirect implications aboutunobservable quantities when they are related to observable quantities,which necessitates monitors that indirectly check the properties of thetrue quantity from the measured quantity.

Unobservability results in a crucial difference between monitoring andcontrol (and its safety proofs). Controllers estimate true behavior bytaking measurements and observing the effect of their decisions in thenext measurements that are again taken from the true values. Monitorsmust decide whether the measurements explain a true behavior that fitsto the expected behavior model. FIG. 7, View (A) is a graph showingmeasurements {circumflex over (x)} taken near the true value x for aparticular sensor. The bars indicate the uncertainty in themeasurements. FIG. 7, View (B) shows estimating true values of x fromsample measurements {circumflex over (x)}, considering {circumflex over(x)} plausible if the model behavior fits to any possible true x.

The measurements of a controller are taken from points that are linkedthrough the underlying true behavior by assumption. Monitors cannot makethis assumption, which results in a number of challenges that arediscussed in this section: (i) check existence of behavior asexplanation from a set of potential true values into a set of potentialnext true values; (ii) link explanations to a full path through sets ofpotential true values around a history of observations; and (iii)guarantee safety in both cases.

y with y∈x is used to refer to an unobservable state variable and ŷ isused to denote a measurement of y with some uncertainty Δ, soŷ∈U_(Δ)(y). Assume non-faulty sensors that function according to theircharacteristics (i.e., they reliably deliver values that only deviatefrom the true values by at most some known sensor uncertainty Δ). In animplementation, sensor fusion methods for detecting sensor faults andcorrecting measurement outliers can satisfy this assumption. Definition4 captures what it means for states to be similar with respect to ameasurement that is subject to uncertainty.

Definition 4 (Uncertainty Similarity).

Use w{circumflex over (≈)}_(y) ^(Δ) to denote the fact that w=v on{y}^(C) with w(y)∈U_(Δ)(v(ŷ)) and say that state w isΔ-uncertainty-similar to state v.

In the following paragraphs, Δ-techniques are developed to synthesizemonitors that indicate whether or not there exist states that areΔ-uncertainty-similar to measured states and connected through a programα, for measured states w and v do there exist uncertainty-similar states{tilde over (w)} and {tilde over (v)} such that {tilde over(w)}{circumflex over (≈)}_(y) ^(Δ), {tilde over (v)}{circumflex over(≈)}_(y) ^(Δ)v and

Model Monitors for Pairwise Consistency of Measurements

Monitoring based on measurements requires a decision as to whether thetrue values y fit to a model α by only looking at the measurements ŷ.Intuitively, this can be answered by finding an unobservable prior statey∈U_(Δ)(ŷ) close to the measurement ŷ, such that running the model α onthis possible y predicts a next unobservable y⁺ that is withinmeasurement uncertainty y⁺∈U_(Δ)(ŷ⁺) to the next measurement y⁺. Thisintuition is illustrated in FIG. 8: a pair of two consecutivemeasurements is plausible if the potential true values of the secondmeasurement overlap with the values predicted by the model α from one ofthe potential prior y (which is estimated from the previousmeasurement).

The goal when formalizing this intuition into monitoring conditions isto shift proof effort offline. Therefore, offline proofs are combinedwith online monitoring: (i) offline proving that the modeled dynamicsensure that all potential true values around the measurements satisfy aninvariant property for safety (contraction, see Definition 5); and (ii)online monitoring that some potential true values around themeasurements can be connected with the modeled dynamics (See Eq. 7).Both requirements are expressible by quantifying over potential truevalues in d

.

Definition 5 (Contraction). The contraction ∀y∈U_(δ)(ŷ)J of margin δ≥0ensures ∀y∈U_(δ)(ŷ)J (i.e. J for all potential values y in theδ-neighborhood of the value ŷ. Program β is contraction-safe for marginδ with measurement uncertainty Δ if ∀y∈U_(δ)(ŷ)J→[u:∈β; x′=f(x, u);?t=ε;ŷ:∈U_(Δ)(y)]∀y∈U_(δ)(ŷ)J is valid.

Monitor condition Eq.(7) answers the question of the plausibility of twomeasurements ŷ and ŷ⁺ taken t=∈ time apart according to the modeldynamics by asking for existence of true values y and y⁺.X _(m) ≡∃y∈U _(Δ)(ŷ)

u:∈ctrl(ŷ);x′=f(x,u);?t=ε;ŷ:∈U _(Δ)(y)

(∃y ⁺γ⁺)   (7)

To facilitate monitor synthesis, both measurements ŷ and ŷ⁺ are neededin a single loop iteration. Therefore, Eq.(7) takes fresh measurementsafter x′−f(x, u). Now monitor condition (7) indicates that there existtrue values close to the measurements; for these true values to have thedesired properties, the controller u:∈ctrl(ŷ) must be contraction-safe,as shown by Theorem 6.

Theorem 6 (Pairwise Measurement Monitor Preserves Invariants).

Let α be a program of the shape u:∈ctrl(ŷ); x′=f(x, u); ?t=ε;ŷ:∈U_(Δ)(y) with contraction-safe controller u:∈ctrl(ŷ) for margin Δ andmeasurement uncertainty Δ (i.e., ∀y∈U_(δ)(ŷ)J→[α]∀y∈U_(δ)(ŷ)J) is valid.Assume the system transitions from w to v, which agree on BV(α)^(C),with non-faulty sensors, so w∈[[y∈U_(Δ)(ŷ)]] and v∈[[y∈U_(Δ)(ŷ)]]. Ifthe contraction holds w∈[[∀y∈U_(δ)(ŷ)J]] and the pairwise measurementmonitor satisfies (w, v)

∃y∈U_(Δ)(ŷ)(α)(∃y⁺y⁺) then J is preserved (i.e., v∈[[J]]).

Theorem 6 extends to vectors of several unobservable variables y andtheir measured variables ŷ in a straightforward way. The test ?t=ε isreflected in monitor condition (7), so the monitor is only satisfied forstates w and v according to the sampling interval ε (formally:v(t)=w(t)+ε for clock t′=1).

Besides safety, monitoring for existence of unobservable values y thatfit to the present measurements ŷ also guarantees that the variationbetween true values is bounded, but not that it forms a linked chain ofmodel executions because true values are freshly estimated from only thelast measurement (see FIG. 7, View (B) and Proposition 1).

Proposition 1 (Bounded Variation Coincidence).

Let α be a hybrid program of the form u:∈ctrl(γ); x′=f(x, u); ?t=ε;ŷ:∈U_(Δ)(y). Assume the system transitions through the sequence ofstates v₀, v₁, . . . , v_(n), which agree on BV(α)^(C), such that(v_(i−1), v_(i))

X_(m) with Eq. (7) for all 1≤i≤n. Then there are w_(i−1){circumflex over(≈)}v_(i=1),μ{circumflex over (≈)}_(y) ^(Δ)v_(i) such that(w_(i−1),μ_(i))∈[[α]].

Proposition 2 and Corollary 1 bound the maximum variation between truevalues y and measurements ŷ that the monitor condition must allowaccording to the model.

Proposition 2 (Single-Step Variation Distance).

Let α be a hybrid program of the form u:∈ctrl(ŷ); x′=f(x, u); ?t=ε;ŷ:∈U_(Δ)(y). Assume the model transitions (w, v)∈[[α]] with intermediatestates μ and {tilde over (μ)}. such that (w,μ)∈[[u:∈ctrl(ŷ)]],(μ,{circumflex over (μ)})∈[[x′=f(x, u)]], and ({circumflex over (μ)},v)∈[[ŷ∈U_(Δ)(y)]]. If (w, v)

X_(m) then the variation distance in a single α-step is bounded:v(γ)∈U_(4Δ)(w(y)+{circumflex over (μ)}(y)) andv(y)∈U_(3Δ)(w(ŷ)+{circumflex over (μ)}(y)−μ(y)).

Corollary 1 (Multi-Step Distance).

Assume the model transitions through a sequence of states v₀, v₁, . . ., v_(n) with intermediate states μ_(i) and {circumflex over (μ)}_(i)s.t. (v_(i−1),μ_(i))∈[[u:∈ctrl(ŷ)]], (μ_(i),{circumflex over(μ)}_(i))∈[[x′=f(x, u); ?t=ε]] and ({circumflex over (μ)}_(i),v_(i))∈[[ŷ∈U_(Δ)(y)]]. If (v_(i−1), v_(i))

X_(m) for all 1≤i≤n then the variation is bounded:v_(n)(y)∈U_(2Δ(n-1))(v₀(y)+Σ_(i=1) ^(n)({circumflex over(μ)}_(i)(y)−μ_(i)(y))).

As a consequence of Proposition 2 and Corollary 1, Theorem 6 is usefulfor single-step consistency checks: such a monitor (i) keeps at leastΔ>0 safety margin with a contraction-safe controller because otherwisefreshly estimating true y from measurements on every iteration does notpreserve invariants, and (ii) detects “large” deviations that occur in asingle monitoring step. However, pairwise consistency is unable todetect gradual drift and therefore has to be safeguarded for its entire2Δ(n+1) deviation over n steps, which inhibits motion, and cannotexploit improving the safety margin Δ over a history of measurements.

Model Monitors for Rolling Consistency of Measurements

Even if measurement pairs in isolation do not exceed the detectablesingle-step violation of the previous section, the resulting aggregateddrift over multiple measurements is still detectable when we keep ahistory of the control choices. Instead of an explicit list ofmeasurement and control choice histories, the actuation and measurementhistory can be aggregated into what really matters: acceptable boundsfor the upcoming true values (area 902 in FIG. 9) and measurements (area904 in FIG. 9). The bounds are updated on each monitor execution, takinginto account the current control choice. The resulting rolling stateestimator detects gradual deviations over the course of multiplemeasurements.

Definition 6 (Non-Diverging Rolling State Estimator).

A rolling state estimator [l,u]:=e(ŷ₀,ŷ,y−y₀,Δ,[l₀,u₀] updates theestimate [l,u] from the previous measurement ŷ₀, current measurement ŷ,the modeled interpolated plant effect y−y₀ and the previous estimate[l₀,u₀] with y₀∈U_([l) ₀ _(, u) ₀ _(])(ŷ₀) and U_([l) ₀ _(, u) ₀_(])(ŷ₀)⊆U_(Δ)(ŷ). The rolling state estimator is non-diverging ifu−l≤U₀−l₀ for all ŷ₀,ŷ,y−y₀,l, u with y∈U_([l,u])(ŷ) andU_([l,u])(ŷ)⊆U_(Δ)(ŷ).

The rolling state estimator updates estimates y∈U_([l,u])(ŷ) of true yon every measurement such that the history of measurements is preservedin aggregate form. On each step, the monitor checks for existence of atrue state y in the estimate and uses the rolling state estimator toincorporate the current measurement ŷ into the estimate for the nextcheck. This also means that the plant effect y−y₀ is existentiallyquantified in the monitor condition of Eq.(8) below, so does not need tobe directly observable.

The following basic rolling state estimator is non-diverging:l=max(−Δ,ŷ ₀ −ŷ+y−y ₀ +l ₀)u=max(−Δ,ŷ ₀ −ŷ+y−y ₀ +u ₀)

For a sequence of n measurements, a non-diverging rolling stateestimator keeps tighter bounds compared to the 2Δ(n+1) bounds ofCorollary 1 without measurement history. Note that measurementstypically vary due to sensor uncertainty, so the estimate almost surelyeven improves over time by observing measurements.

The monitor condition (8) checks the plausibility of a history ofmeasurements ŷ:∈U_(Δ)(y) by estimating the true y∈U_([l,u])(ŷ) from theobservations.

$\begin{matrix}{X_{m} \equiv {\exists{y \in {{U_{\lbrack{l,u}\rbrack}( \hat{y} )}\langle {{{\overset{\overset{{remember}\mspace{14mu}{prior}\mspace{14mu}{state}}{︷}}{{y_{0}:=y};{{\hat{y}}_{0}:=\hat{y}};}\mspace{11mu} u\text{:}} \in {{ctrl}( \hat{y} )}};{x^{\prime} = {f( {x,u} )}};{{?\; t}\; = ɛ};\overset{\overset{measure}{︷}}{{\hat{y}\text{:}} \in U_{\Delta{(y)}}};\underset{\underset{{update}\mspace{14mu}{eestimator}}{︸}}{\lbrack {l,u} \rbrack:={e( {{\hat{y}}_{0},\hat{y},{y - y_{0}},\Delta,{+ \lbrack {l_{0},u_{0}} \rbrack}} )}}} \rangle( {\exists{y^{+}\gamma^{+}}} )}}}} & (8)\end{matrix}$

The dynamics x′=f(x, u) over time are reflected by the rolling stateestimator in the estimate y∈U_([l,u])(ŷ), which guarantees safety byTheorem 7.

Theorem 7 (Monitor with rolling state estimator maintains invariants).

Let α be a program of the form y₀:=y; ŷ₀=ŷ; u:∈ctrl(ŷ); x′=f(x, u);?t=ε; ŷ:∈U_(Δ)(γ); [l,u]:=e(ŷ₀,ŷ,y−y₀,Δ,[l₀, u₀]) with acontraction-safe program y₀=y; ŷ₀=ŷ; u:∈ctrl(ŷ) for margin [l,u] andmeasurement uncertainty Δ. Assume the system transitions from w to v,which agree on BV(α)^(C), with non-faulty sensors, so bothw∈[[y∈U_(Δ)(ŷ)]] and v∈[[y∈U_(Δ)(ŷ)]]. If w∈[[∀y∈U_([l,u])(ŷ)J]] and themonitor condition (8) is satisfied, i.e., (w, v)

∃y∈U_([l,u])(ŷ)<α>(∃y⁺γ⁺), then the invariant J is maintained: v∈[[J]].

Theorem 7 extends to vectors of several unobservable variables y andtheir measured variables ŷ in a straightforward way.

In summary, the approach disclosed herein improves over existing runtimemonitoring techniques with provably correct monitor conditions, explicitdynamics with sensor uncertainty and actuator disturbance, and shiftsexpensive computation offline.

Specification—

Other methods start from purely discrete monitor specifications andtherefore the continuous dynamics are implicit and unchecked (e.g., amonitor specification “always positive distance to obstacles” has theimplicit unrealistic assumption that a car can stop instantaneously fromany speed). In contrast, the approach disclosed herein starts fromsafety requirements about dynamical hybrid system models with continuousdynamics and therefore synthesizes monitor specifications that areprovably correct with respect to the dynamics model (e.g., aspecification “always positive distance to obstacles” in the approachherein results in a monitor “always sufficient stopping distance” thatacts ahead of time as opposed to after a collision).

Assumptions Between Sampling Points—

Methods that rely on discrete time or combine discrete-time withcontinuous-time descriptions require additional assumptions on thecontinuous dynamics between sampling points to be sound, which ishandled in the approach herein explicitly, to characterize partialcontrollability and partial observability and to distinguish betweendeviation caused by mere uncertainty versus actually unsafe environmentbehavior.

Offline Computation—

Some methods rely on extensive runtime computations (e.g., reachablesets). The approach herein, in contrast, performs expensive computationsoffline. At runtime, the resulting formula is only evaluated in realarithmetic for concrete sensor values and control decisions, whichenables fast enough responses.

Crucially, the approach herein proves correctness properties thatcorrectly link satisfied monitors to offline safety proofs, resulting inmonitors that warn ahead offline, and account for partialcontrollability and partial observability so that the monitored systeminherits the safety guarantees about the model.

Provable guarantees about the safety of cyber-physical systems atruntime are crucial as systems become increasingly autonomous. Formalverification techniques provide an important basis by proving safety ofCPS models, which then requires transferring the guarantees of offlineproofs to system execution. The approach herein addresses the keyquestion of how offline proofs transfer by runtime monitoring, andcrucially, what property needs to be runtime-monitored to imply safetyof the monitored system. The disclosed techniques significantly extendprevious methods to models of practical interest by implementing prooftactics for differential dynamic logic that correctly synthesize monitorconditions that are robust to bounded sensor uncertainty and boundedactuator disturbance, which are both fundamental sources of partialobservability in models.

We claim:
 1. A process for verifying compliance of a partiallyobservable cyber-physical system (CPS) with a proven hybrid model of theCPS, the hybrid model describing a desired behavior of the CPS with bothobservable and unobservable variables, comprising the steps of: derivinga monitor specification from the hybrid model in differential dynamiclogic, the monitor specification comprising a set of logical constraintsregarding behavior of the model; obtaining consecutive sensormeasurements from one or more sensors measuring one or more observablequantities during operation of the CPS; determining a monitor verdict,using the monitor specification, the monitor verdict indicating successif prior measurements of the one or more observable quantities arepredictive of future measurements of the one or more observablequantities and one or more inferred unobservable quantities within anacceptable measurement uncertainty, and, indicating failure otherwise;wherein a successful monitor verdict guarantees safety of the CPS andcompliance of the observable and unobservable true behavior of the CPSwith the hybrid model; and engaging a fallback action of the CPS whenthe monitor verdict indicates failure.
 2. The process of claim 1 whereinthe CPS includes a controller running control software, the controllerreading the one or more sensors and controlling one or more actuators,wherein the hybrid model specifies the actions of the controller, thesensors, the actuators and the resulting changes in state of the CPS toverify the desired behavior of the CPS.
 3. The process of claim 1,wherein the hybrid model describes discrete control actions of one ormore controllers in the CPS and continuous physics of the CPS and theenvironment of the CPS.
 4. The process of claim 2 wherein discrepanciesbetween the one or more sensor measurements and unobservable true valuesis due, at least in part, to disturbances in the one or more actuators.5. The process of claim 4 wherein actuator disturbances may bedetermined by monitoring differences between an intended effect of anactuator action and an actual effect of the actuator action fromobservable quantities.
 6. The process of claim 2 wherein discrepanciesbetween the one or more sensor measurements and unobservable true valuesare reflected as sensor uncertainties.
 7. The process of claim 1 furthercomprising: proving, offline, that the hybrid model ensures that allpotential true values for the one or more variables satisfy an invariantproperty of the hybrid model; and monitoring, online, that somepotential true values of the one or more variables can be connected withthe hybrid model.
 8. The process of claim 1 further comprising:identifying non-compliance of the CPS with the monitor specificationwhen two consecutive measurements for any variable show significantdeviation from the monitor specification.
 9. The process of claim 1further comprising: determining acceptable bounds for future true valuesof the one or more variables based on an aggregate of actuation andmeasurement history for the one or more variables; and updating thebounds each time second measurements are received; and determininggradual deviation of the true values of the one or more variables fromthe hybrid model over multiple measurements.
 10. The process of claim 1wherein no controller violation that can be overwritten when the monitorfails can cause unsafety of the hybrid model.
 11. The process of claim 1wherein a monitor violation will be triggered when any deviation betweenmeasurements and the hybrid model permits unsafe future model behavior.12. The process of claim 2 further comprising executing the hybrid modelin conjunction with the control software to guarantee compliance of theCPS with the hybrid model.
 13. The process of claim 2 wherein the stepof transforming the hybrid model and monitor specification into a set ofmonitor conditions further comprises applying a theorem prover to thehybrid model and monitor specification.
 14. The process of claim 2 wherethe hybrid model consists of a model monitor, a controller monitor and aprediction monitor.
 15. The process of claim 14 wherein the modelmonitor compares a current state of the CPS with a previous state of theCPS and determines if the difference between the current state and theprevious state is in compliance with the hybrid model.
 16. The processof claim 14 wherein the controller monitor monitors the controller tocheck compliance with the hybrid model.
 17. The process of claim 14wherein the prediction monitor allows deviations of the CPS system fromthe hybrid model to account for real-world imperfections.
 18. Theprocess of claim 17 wherein the model monitor, the controller monitorand the prediction monitor read the one or more sensors to determine acurrent state of the CPS.
 19. The process of claim 14 wherein the modelmonitor runs prior to the control software and determines if observedphysical behavior which occurred between the previous state of the CPSand the current state of the CPS is in compliance with the hybrid model.20. The process of claim 19 wherein the model monitor will raise anerror if the difference between the current state and the previous stateis not in compliance with the hybrid model.
 21. The process of claim 19wherein the controller monitor runs after the controller software anddetermines if physical actions to be taken by the controller will resultin the CPS being in compliance with the hybrid model.
 22. The process ofclaim 21 wherein the controller monitor raises an error if the physicalactions to be taken by the controller will result in the CPS not beingin compliance with the hybrid model.
 23. The process of claim 14 whereinthe prediction monitor runs after the control software and determines ifphysical actions to be taken by the controller will result in the CPSbeing in compliance with the hybrid model in the presence of boundeddeviations between the CPS and the hybrid model.
 24. The process ofclaim 23 wherein the prediction monitor will raise an error if thephysical actions to be taken by the controller will result in the CPSnot being in compliance with the hybrid model.
 25. The process of claim24 wherein the hybrid model comprises a set of formulas of the form:ϕ→[α*]ψ with invariat φ→[α]φs.t.ϕ→φ and φ→ψ  (1)
 26. The process ofclaim 1 wherein the monitor specification comprises a set ofspecification conjectures for model monitors of the form:Ø|_(const) →

a

γ _(V) _(m) ⁺.
 27. The process of claim 1 wherein the monitorspecification comprises a set of specification conjectures forcontroller monitors of the form:Ø|_(const) →

a _(ctrl)

γ_(V) _(c) ⁺.
 28. The process of claim 1 wherein the process isautomated if the hybrid model is of the form (α_(ctrl); α_(plant))without nested loops, with solvable differential equations in α_(plant)and a disturbed plant α_(δplant) with constant additive disturbance δ.29. The process of claim 14 wherein compliance with the model monitorguarantees that the properties of the hybrid model are present in theCPS before the controller software is executed.
 30. The process of claim14, the compliance with the controller monitor guaranteeing thatproperties of the hybrid model are present in the CPS after thecontroller software is executed.
 31. The process of claim 14, whereincompliance with the prediction monitor guarantees that properties of thehybrid model will still be present in future states of the CPS.